{"id":1076,"date":"2011-02-02T22:03:44","date_gmt":"2011-02-02T20:03:44","guid":{"rendered":"http:\/\/www.void.gr\/kargig\/blog\/?p=1076"},"modified":"2011-02-07T06:43:25","modified_gmt":"2011-02-07T04:43:25","slug":"stopping-plesk-panel-attacks-with-ossec","status":"publish","type":"post","link":"https:\/\/www.void.gr\/kargig\/blog\/2011\/02\/02\/stopping-plesk-panel-attacks-with-ossec\/","title":{"rendered":"Stopping Plesk Panel attacks with OSSEC"},"content":{"rendered":"

During the past few weeks I’ve noticed increased brute forcing activity on various servers that I manage and run Plesk Panel<\/a>. Most of the entries look like this:
\n

189.205.227.115 - - [30\/Jan\/2011:07:14:19 +0100] "GET \/login_up.php3?passwd=setup&login_locale=default&login_name=admin HTTP\/1.1" 200 5852\n189.205.227.115 - - [30\/Jan\/2011:07:14:19 +0100] "GET \/login_up.php3?passwd=setup&login_locale=default&login_name=admin HTTP\/1.1" 200 5852\n189.205.227.115 - - [30\/Jan\/2011:07:14:19 +0100] "GET \/login_up.php3?passwd=setup&login_locale=default&login_name=admin HTTP\/1.1" 200 5852\n189.205.227.115 - - [30\/Jan\/2011:07:14:21 +0100] "GET \/login_up.php3?passwd=setup&login_locale=default&login_name=admin HTTP\/1.1" 200 5852\n189.205.227.115 - - [30\/Jan\/2011:07:14:21 +0100] "GET \/login_up.php3?passwd=setup&login_locale=default&login_name=admin HTTP\/1.1" 200 5852\n189.205.227.115 - - [30\/Jan\/2011:07:14:23 +0100] "GET \/login_up.php3?passwd=setup&login_locale=default&login_name=admin HTTP\/1.1" 200 5852\n189.205.227.115 - - [30\/Jan\/2011:07:14:23 +0100] "GET \/login_up.php3?passwd=setup&login_locale=default&login_name=admin HTTP\/1.1" 200 5852\n<\/code2><\/pre>
\nThe side effect of all these attacks is increased server load.<\/p>\n
Since I already have ossec<\/a> monitoring these servers the solution was quite simple. I just added a couple more rules to ossec in order to stop these attacks.<\/p>\n
Two steps are necessary to stop these attacks:
\n1) Add plesk panel https log to monitor list in \/var\/ossec\/etc\/ossec.conf
\n
  <localfile>\n    <log_format>apache<\/log_format>\n    <location>\/opt\/psa\/admin\/logs\/httpsd_access_log<\/location>\n  <\/localfile> \n\n  <localfile>\n    <log_format>apache<\/log_format>\n    <location>\/opt\/psa\/admin\/logs\/httpsd_error_log<\/location>\n  <\/localfile>\n<\/code2><\/pre><\/p>\n
2) Create some custom rules to block (and notify me) of these attacks.
\n
<rule id="100144" level="1">\n    <if_sid>31100<\/if_sid>\n    <id>200<\/id>\n    <url>\/login_up.php3<\/url>\n    <description>Plesk Login.<\/description>\n  <\/rule>\n\n<rule id="100145" level="12" frequency="3" timeframe="60">\n    <if_matched_sid>100144<\/if_matched_sid>\n    <same_source_ip \/>\n    <description>Attack on plesk panel.<\/description>\n    <group>attack,<\/group>\n  <\/rule>\n<\/code2><\/pre><\/p>\n
That’s it. Ossec now monitors these files and blocks through iptables any attacks with active-response.<\/p>\n
Example notification mail:
\n
Received From: foo->\/opt\/psa\/admin\/logs\/httpsd_access_log\nRule: 100146 fired (level 12) -> "Attack on plesk."\nPortion of the log(s):\n\n189.205.227.115 - - [02\/Feb\/2011:20:19:56 +0100] "GET \/login_up.php3?passwd=setup&login_locale=default&login_name=admin HTTP\/1.1" 200 5852\n189.205.227.115 - - [02\/Feb\/2011:20:19:55 +0100] "GET \/login_up.php3?passwd=setup&login_locale=default&login_name=admin HTTP\/1.1" 200 5852\n189.205.227.115 - - [02\/Feb\/2011:20:19:54 +0100] "GET \/login_up.php3?passwd=setup&login_locale=default&login_name=admin HTTP\/1.1" 200 5852\n<\/code2><\/pre><\/p>\n","protected":false},"excerpt":{"rendered":"
During the past few weeks I’ve noticed increased brute forcing activity on various servers that I manage and run Plesk Panel. Most of the entries look like this: 189.205.227.115 – – [30\/Jan\/2011:07:14:19 +0100] "GET \/login_up.php3?passwd=setup&login_locale=default&login_name=admin HTTP\/1.1" 200 5852 189.205.227.115 – – [30\/Jan\/2011:07:14:19 +0100] "GET \/login_up.php3?passwd=setup&login_locale=default&login_name=admin HTTP\/1.1" 200 5852 189.205.227.115 – – [30\/Jan\/2011:07:14:19 +0100] "GET \/login_up.php3?passwd=setup&login_locale=default&login_name=admin […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"footnotes":""},"categories":[5,3],"tags":[326,324,325,328,595,327,70,329,217,209,206],"class_list":["post-1076","post","type-post","status-publish","format-standard","hentry","category-internet","category-linux","tag-apache","tag-brute-force","tag-https","tag-iptables","tag-linux","tag-log","tag-monitor","tag-notify","tag-ossec","tag-plesk","tag-security"],"aioseo_notices":[],"views":11191,"_links":{"self":[{"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/posts\/1076","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/comments?post=1076"}],"version-history":[{"count":8,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/posts\/1076\/revisions"}],"predecessor-version":[{"id":1094,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/posts\/1076\/revisions\/1094"}],"wp:attachment":[{"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/media?parent=1076"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/categories?post=1076"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/tags?post=1076"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}